Keycloak Execution Flow - keycloak

I'm a little confused with configuring alternative execution flows.
I currently have the follow configured.
Cookie <- Alternative
Username Password Form <- Required
TOTP Configured? (sub-flow) <- Alternative
    OTP Form <- Optional
No, SMS then (sub-flow) <- Alternative
    SMS Auth <- Optional
As you can guess, I want SMS auth to trigger if OTP is not configured for the user.
At the moment it seems that if OTP isn't configured, the OTP Form is skipped, authentication is successful and SMS is skipped. Is there a way to tell Keycloak that if OTP is not configured then the 'TOTP Configured?' execution flow has failed, so the 'No, SMS then' execution flow is actioned?
(In the source code it looks like context.success() is called if OTP is not configured for the user.)
I'm using Keycloak 7.0.0.
Thanks,
Stuart

Usually top-level executions or sub-flows must be Alternative for the browser flow (Cookie is enough for authentication in the application if you have already passed Password && (OTP || SMS)). From my point of view the flow should be like this:
Cookie -> Alternative
Forms (Sub-flow) -> Alternative
    Password -> Required
    2FA (Sub-flow) -> Required
        OTP -> Alternative
        SMS -> Alternative
So if we reach the credentials verification stage: we MUST pass Password verification, then we MUST pass one of the 2FA authenticators (OTP or SMS). But the SMS and OTP authenticators should be properly implemented (possibly you will have to tune their source code; see the Keycloak src and the Keycloak customization docs).
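As an added example (not code from this thread or from Keycloak's own sources), one way to do the "tuning" the answer mentions for the OTP alternative inside the 2FA sub-flow: when the user has no OTP credential the execution reports attempted instead of success, so the flow engine moves on to the SMS alternative. It assumes the Keycloak 7.x Authenticator SPI (OTPFormAuthenticator, CredentialModel.OTP) and uses a hypothetical package name and provider id.

```java
package example.keycloak;  // hypothetical package

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.authenticators.browser.OTPFormAuthenticator;
import org.keycloak.authentication.authenticators.browser.OTPFormAuthenticatorFactory;
import org.keycloak.credential.CredentialModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

/**
 * OTP alternative for the "2FA (Sub-flow) -> Required" layout above.
 * A user without an OTP credential is reported as ATTEMPTED rather than
 * SUCCESS, so the sub-flow is not satisfied yet and the next alternative
 * (the SMS authenticator) is executed.
 */
public class OtpOrFallthroughAuthenticator extends OTPFormAuthenticator {

    static boolean otpConfigured(KeycloakSession session, RealmModel realm, UserModel user) {
        return session.userCredentialManager().isConfiguredFor(realm, user, CredentialModel.OTP);
    }

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        if (!otpConfigured(context.getSession(), context.getRealm(), context.getUser())) {
            context.attempted();   // not success(): leaves the alternative unsatisfied
            return;
        }
        super.authenticate(context);   // renders the OTP form; inherited action() validates it
    }

    @Override
    public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) {
        // Assumption: always report "configured" so the flow engine does not skip the
        // execution itself and the decision above is reached in authenticate().
        return true;
    }

    /** Factory so the execution can be added to the flow in the admin console. */
    public static class Factory extends OTPFormAuthenticatorFactory {
        public static final String ID = "otp-or-fallthrough";   // hypothetical provider id
        @Override public String getId() { return ID; }
        @Override public String getDisplayType() { return "OTP Form (fall through when unset)"; }
        @Override public Authenticator create(KeycloakSession session) {
            return new OtpOrFallthroughAuthenticator();
        }
    }
}
```

Register the factory in META-INF/services/org.keycloak.authentication.AuthenticatorFactory and add the execution as the first Alternative of the 2FA sub-flow, with the SMS authenticator as the second.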

Related

Keycloak Auth OTP SMS SPI: How to set a non form challenge

I am using a Keycloak auth SPI with SMS auth which works fine for the browser flow.
My requirement is to use it with direct access grant. Therefore I have to create a formless challenge which connects the auth session between two requests.
I am struggling with passing the parameters in the response. I've analyzed the request when entering the SMS OTP in the login form. I know the request object in detail but I cannot figure out where to get the required parameters from the session object within the authenticate method.
Params are:
a cookie
code
client_id
execution
session_code
tab_id
My question:
Is it even possible to use this flow without a form?
Where do I get the parameters from?

Keycloak user chooses OTP or SMS

I want to add a question into the Keycloak auth flow after the user’s name and pw have been authenticated to ask what type of two factor authentication they prefer. The choices are OTP or SMS. If the user has already made the choice before, I will skip the question and continue to either OTP or SMS authenticators. Need some advice on how to implement this.
I have created an authenticator class that shows a template. Is that right? I have seen examples of creating a required action.
How do I skip the question if the user has already made his choice? I tried returning false from configuredFor() but that just halts the flow with an error since my authenticator is set as required.
I plan on storing the user’s choice in a user attribute or possibly a cookie. Any thought on which is better?
As always, thanks.
You can use a Conditional authenticator to check the condition, there is an example of this in the server developer documentation: https://www.keycloak.org/docs/latest/server_development/#algorithm-overview

Generate Backup codes for OTP configured using Keycloak

We are using Keycloak v4.5.0.Final and configured OTP for all the users. Is it possible to generate backup codes (like how google does for their dual factor authentication) in case the user doesn't have the Google Authenticator handy?
Yes, but you will have to create your own implementation of the OTP authenticator. In my company we customized the default OTP authenticator and the Configure OTP required action, so now after OTP initiation the user receives an OTP recovery code, which is stored in his attributes (e.g. Users -> john.doe -> Attributes). Then when the user has to provide the next OTP code, he can also hit the "Lost device" link on the OTP code form (we've also customized the Keycloak themes), provide the recovery code, and reinstall the OTP settings.
Keycloak customizing docs

Generate password reset URL

I want to send the Keycloak user reset password email from my web app without using the Keycloak SMTP configuration. For that I am trying to generate the reset password link, but I am not sure how to generate the code in the URL. Is there any API call to generate the action code or the full reset password URL? Keycloak generates something like below. I need to generate the same. That's the objective.
https://server.com/auth/realms/xxx/login-actions/action-token?key=ffdfdfdfd
There is no such API directly exposed in Keycloak.
Keycloak provides action tokens that permit their bearer to perform some actions, e.g. to reset a password or validate an e-mail address.
Perhaps you could have a look at the action tokens SPI:
http://www.keycloak.org/docs/3.3/server_development/topics/action-token-spi.html
This way you can handle your use case.

Onelogin G Suite with login/pass

I have a OneLogin account and have set up G Suite. Everything works but I have a couple of problems:
After configuring G Suite, if a user logs into Gmail to write an email, the user gets redirected to the OneLogin login page. How can I disable this?
Since there is no password with oauth, how should I configure Gmail clients with oauth/saml enabled?
You can't disable this. You can configure IPs to which the SSO doesn't apply.
You need to create an application-specific password; you can create one after you enable the second factor.